Legal claims defining the scope of protection. Each claim is shown in both the original legal language and a plain English translation.
1. A method comprising: intercepting network traffic, by a network security device protecting a private network, directed to an intended recipient associated with the private network; identifying, by the network security device, existence of a media file within the network traffic; performing a pre-match inspection, by the network security device, of the media file by: generating a signature of the media file; and detecting presence of a potentially malicious hidden data item in a form of encoded data within one or more of a digital watermark, steganography and a barcode embedded in the media file by comparing the generated signature with a plurality of signatures of known unsafe media files; when no threat is identified as being associated with the media file by the pre-match inspection, then determining, by the network security device, whether the potentially malicious hidden data item violates a security policy of a plurality of security policies of the private network enforced by the network security device by performing local content inspection processing of the media file by decoding the encoded data and applying a content filter to a result of said decoding; when no threat is identified as being associated with the media file by the local content inspection processing, causing, by the network security device, a remote or cloud-based network security appliance external to the private network to perform further evaluation of the media file by sending the media file or the generated signature to the remote or cloud-based network security appliance; when no threat is identified as being associated with the media file by the remote or cloud-based network security appliance, then allowing, by the network security device, the network traffic to be delivered to the intended recipient; and when a threat is identified as being associated with the media file by any of the pre-match inspection, the local content evaluation and the remote or cloud-based network security appliance, then blocking, by the network security device, delivery of the network traffic to the intended recipient.
The invention relates to network security systems designed to detect and prevent malicious hidden data in media files transmitted to a private network. The system intercepts incoming network traffic directed to a recipient within the private network and scans for media files. Upon detecting a media file, the system performs a pre-match inspection by generating a signature of the file and comparing it against a database of known malicious media file signatures to identify hidden data such as digital watermarks, steganography, or barcodes. If no threat is found, the system then performs local content inspection by decoding the hidden data and applying content filters to check for policy violations. If no threat is detected, the media file or its signature is sent to a remote or cloud-based security appliance for further evaluation. Only if all inspections pass without detecting threats is the traffic delivered to the recipient. If any inspection identifies a threat, the traffic is blocked. This multi-layered approach ensures comprehensive detection of malicious content while minimizing false positives through progressive validation.
2. The method of claim 1, wherein the content filter comprises a Uniform Resource Locator (URL) filter.
A system and method for filtering digital content involves a content filter that includes a Uniform Resource Locator (URL) filter. The URL filter is designed to block or restrict access to specific web addresses or domains based on predefined criteria. This filtering mechanism can be used to enhance security, enforce compliance, or manage access to online resources. The URL filter may operate by comparing incoming requests against a database of blocked or allowed URLs, applying pattern matching, or using other techniques to identify and filter unwanted web traffic. The system may also include additional filtering layers, such as keyword filtering, category-based filtering, or behavioral analysis, to provide comprehensive content control. The URL filter can be integrated into network security tools, web browsers, or enterprise-level access management systems to ensure that users or devices comply with predefined content policies. This approach helps prevent access to malicious, inappropriate, or unauthorized websites, improving cybersecurity and operational efficiency.
3. The method of claim 2, wherein the security policy contains information indicative of a URL known to be associated with malicious activities.
A system and method for detecting and mitigating malicious activities in network communications involves analyzing network traffic to identify and block connections to URLs known to be associated with malicious activities. The method includes monitoring network traffic to detect outgoing requests to external URLs, comparing these URLs against a security policy that contains a list of known malicious URLs, and blocking or restricting access to any URLs that match entries in the security policy. The security policy may be dynamically updated to include newly identified malicious URLs, ensuring that the system remains effective against evolving threats. The system may also log and report detected malicious activity for further analysis or remediation. This approach helps prevent users from accessing harmful websites, reducing the risk of malware infections, data breaches, or other security incidents. The method can be implemented in network security devices such as firewalls, gateways, or endpoint protection software to enhance overall network security.
4. The method of claim 2, wherein the security policy contains information indicative of a URL associated with a blacklisted website.
A system and method for network security involves monitoring and controlling access to websites based on predefined security policies. The technology addresses the problem of unauthorized access to malicious or restricted websites, which can expose users to security threats such as malware, phishing, or data breaches. The method includes analyzing network traffic to identify requests to access websites and comparing the requested URLs against a security policy that contains a list of blacklisted websites. If a requested URL matches an entry in the blacklist, the system blocks the access attempt, preventing the user from reaching the restricted site. The security policy may be dynamically updated to include new blacklisted URLs as threats are identified, ensuring continuous protection. This approach enhances network security by proactively filtering out harmful or unauthorized web traffic, reducing the risk of cyberattacks and data compromise. The system can be deployed in various network environments, including enterprise networks, home networks, or cloud-based security services, to enforce consistent access controls across different devices and users.
5. The method of claim 2, wherein the security policy contains information indicative of a URL that redirects to or is otherwise associated with a blacklisted website.
A method for enhancing web security by detecting and blocking access to malicious websites. The method involves analyzing security policies to identify URLs that redirect to or are otherwise associated with blacklisted websites. When a user attempts to access a URL, the system checks whether the URL or any redirects linked to it are listed in a blacklist of known malicious or harmful websites. If a match is found, the system prevents access to the URL, thereby protecting the user from potential security threats such as malware, phishing, or other malicious activities. The security policy may include rules that define which URLs are considered unsafe, and these rules are dynamically updated to reflect the latest threat intelligence. The method ensures that users are protected from both direct access to blacklisted sites and indirect access through redirects, improving overall web security.
6. The method of claim 1, wherein the media file comprises an image file or a video file.
7. The method of claim 1, wherein the barcode comprises a linear barcode or a matrix barcode.
In the method of claim 1, the barcode embedded in the media file may be a one-dimensional linear barcode or a two-dimensional matrix barcode. Either kind can carry the encoded data that the network security device decodes and passes to the content filter during local content inspection.
8. The method of claim 1, wherein the generated signature comprises a cryptographic hash value.
In the method of claim 1, the signature generated for the media file comprises a cryptographic hash value: a fixed-size value derived from the file's data by a one-way mathematical function. Even a minor change to the input data produces a significantly different hash value, so a hash comparison in the pre-match inspection matches only a file whose bytes are identical to those of a known unsafe media file. Cryptographic hash functions such as SHA-256 or SHA-3 are commonly used to produce such values and are designed to resist collision attacks and preimage attacks. Comparing hash values lets the device check a file against the known unsafe set without storing or exposing the original content.
9. The method of claim 1, further comprising when the threat is identified as being associated with the media file by any of the pre-match inspection, the local content evaluation and the remote or cloud-based network security appliance, then adding, by the network security device, the generated signature to a local database of known unsafe media files maintained by the network security device.
This invention relates to network security systems for identifying and mitigating threats associated with media files. The problem addressed is the detection of malicious or unsafe media files (e.g., videos, images, audio) that may bypass traditional security measures. The system employs multiple layers of inspection to analyze media files before they are accessed or transmitted. These layers include pre-match inspection, local content evaluation, and remote or cloud-based network security appliance analysis. If any of these layers identifies a threat, the system generates a signature for the unsafe media file and adds it to a local database of known unsafe media files. This database is maintained by the network security device to enhance future threat detection and prevention. The approach ensures that once a media file is flagged as unsafe, subsequent attempts to access or transmit it are blocked, improving overall network security. The system dynamically updates its threat intelligence by incorporating new signatures from detected threats, allowing for proactive defense against evolving media-based attacks.
10. A network security device comprising: a non-transitory storage device having embodied therein one or more modules of a firewall and an Intrusion Prevention System (IPS) engine; and one or more processors coupled to the non-transitory storage device and operable to execute the one or more modules to perform a method comprising: intercepting network traffic directed to an intended recipient associated with a private network protected by the network security device; identifying existence of a media file within the network traffic; performing a pre-match inspection of the media file by: generating a signature of the media file; and detecting presence of a potentially malicious hidden data item in a form of encoded data within one or more of a digital watermark, steganography and a barcode embedded in the media file by comparing the generated signature with a plurality of signatures of known unsafe media files; when no threat is identified as being associated with the media file by the pre-match inspection, then determining whether the potentially malicious hidden data item violates a security policy of a plurality of security policies of the private network enforced by the network security device by performing local content inspection processing of the media file by decoding the encoded data and applying a content filter to a result of said decoding; when no threat is identified as being associated with the media file by the local content inspection processing, causing a remote or cloud-based network security appliance external to the private network to perform further evaluation of the media file by sending the media file or the generated signature to the remote or cloud-based network security appliance; when no threat is identified as being associated with the media file by the remote or cloud-based network security appliance, then allowing the network traffic to be delivered to the intended recipient; and when a threat is identified as being associated with the media file by any of the pre-match inspection, the local content evaluation and the remote or cloud-based network security appliance, then blocking delivery of the network traffic to the intended recipient.
Network security devices protect private networks from malicious threats, including hidden data in media files. A network security device includes a firewall and an Intrusion Prevention System (IPS) engine to inspect network traffic directed to a protected private network. The device intercepts incoming traffic and identifies media files within it. A pre-match inspection is performed by generating a signature of the media file and comparing it against signatures of known unsafe media files to detect hidden malicious data, such as encoded data in digital watermarks, steganography, or barcodes. If no threat is found, the device further evaluates the media file by decoding the hidden data and applying a content filter to check for policy violations. If no threat is detected, the media file is sent to a remote or cloud-based security appliance for additional evaluation. Only if all inspections confirm the file is safe is the traffic delivered to the intended recipient. If any inspection identifies a threat, the traffic is blocked. This multi-layered approach ensures comprehensive protection against hidden malicious content in media files.
11. The network security device of claim 10, wherein the content filter comprises a Uniform Resource Locator (URL) filter.
A network security device includes a content filter that inspects and controls data traffic passing through a network. The device monitors incoming and outgoing network communications to enforce security policies, such as blocking malicious or unauthorized content. The content filter specifically includes a Uniform Resource Locator (URL) filter, which examines web addresses accessed by users or applications within the network. The URL filter compares requested URLs against a predefined list of allowed or blocked domains, preventing access to harmful or restricted websites. This helps mitigate risks like phishing, malware distribution, and data leaks by restricting access to known malicious or inappropriate web resources. The device may also include additional filtering mechanisms, such as application-layer inspection, to further enhance security by analyzing the content of network packets beyond just URL-based filtering. The URL filter operates in real-time, dynamically blocking or allowing traffic based on the URL's reputation or predefined rules, ensuring continuous protection against evolving online threats.
12. The network security device of claim 11, wherein the security policy contains information indicative of a URL known to be associated with malicious activities.
A network security device monitors and filters network traffic to detect and block malicious activities. The device includes a security policy that contains information identifying URLs known to be associated with malicious activities, such as phishing, malware distribution, or other cyber threats. The device analyzes incoming network traffic, compares it against the security policy, and blocks or restricts access to any URLs listed in the policy. The security policy may be dynamically updated to include new malicious URLs as they are identified, ensuring continuous protection against evolving threats. The device may also log and report blocked attempts to access malicious URLs for further analysis and threat intelligence. This approach helps prevent users from inadvertently accessing harmful websites, reducing the risk of data breaches, malware infections, and other security incidents. The device may operate at the network perimeter, within an internal network, or as part of an endpoint security solution, providing flexible deployment options for different security architectures. The system may also integrate with threat intelligence feeds to automatically update the security policy with the latest malicious URL data.
13. The network security device of claim 11, wherein the security policy contains information indicative of a URL associated with a blacklisted website.
A network security device monitors and filters network traffic to protect against cyber threats. The device includes a security policy that identifies malicious or unauthorized network activity. The security policy contains information about a URL associated with a blacklisted website, which is a website known to host malware, phishing attacks, or other security risks. When the device detects network traffic attempting to access this blacklisted URL, it blocks the connection to prevent security breaches. The device may also log the attempt for further analysis. The security policy can be updated dynamically to include new blacklisted URLs as threats are identified. This ensures continuous protection against emerging cyber threats. The device may operate at the network perimeter, such as a firewall or gateway, or within an internal network to enforce security policies across multiple devices. The system may also integrate with threat intelligence feeds to automatically update the blacklist. This approach helps organizations mitigate risks from malicious websites and maintain secure network environments.
14. The network security device of claim 11, wherein the security policy contains information indicative of a URL that redirects to or is otherwise associated with a blacklisted website.
A network security device monitors and filters network traffic to prevent access to malicious or unauthorized websites. The device includes a security policy that identifies URLs associated with blacklisted websites, which are known to be harmful or restricted. When a user attempts to access a URL that redirects to or is linked with a blacklisted site, the device blocks the request, preventing the user from reaching the dangerous destination. The security policy may also include additional rules for detecting and mitigating threats, such as malware, phishing, or other cybersecurity risks. The device analyzes incoming and outgoing traffic in real-time, comparing URLs against the blacklist to enforce the security policy. If a match is found, the device either blocks the connection or redirects the user to a safe page, depending on the configured policy. This proactive approach helps protect users and networks from potential security breaches by intercepting and stopping access to harmful websites before any damage occurs. The system may also log and report blocked attempts for further analysis and policy refinement.
15. The network security device of claim 10, wherein the media file comprises an image file or a video file.
A network security device monitors and analyzes media files transmitted over a network to detect and prevent malicious activities. The device includes a processing unit that examines incoming media files, such as image or video files, for potential security threats. The processing unit identifies suspicious patterns, anomalies, or embedded malicious content within the media files, such as hidden malware, malicious scripts, or unauthorized data exfiltration attempts. The device also includes a filtering module that blocks or quarantines media files that are determined to be malicious, preventing them from reaching their intended destination. Additionally, the device may log and report detected threats for further analysis and remediation. The system ensures that media files transmitted over the network do not compromise the security of the network or its connected devices. The device operates in real-time, continuously scanning media files as they are transmitted, and can be integrated into existing network infrastructure to enhance overall security. This approach addresses the challenge of detecting and mitigating threats hidden within media files, which are increasingly used as vectors for cyberattacks.
16. The network security device of claim 10, wherein the barcode comprises a linear barcode or a matrix barcode.
In the network security device of claim 10, the barcode embedded in the media file may be a linear barcode or a matrix barcode, such as a QR code. The device treats either type as a possible carrier of potentially malicious encoded data: it decodes the barcode content during local content inspection and applies the content filter to the result.
17. The network security device of claim 10, wherein the generated signature comprises a cryptographic hash value.
In the network security device of claim 10, the signature that the device generates for a media file comprises a cryptographic hash value, a fixed-length value produced by applying a cryptographic hash function to the file's data. Even a minor modification to the data results in a different hash. The device compares the generated signature against the signatures of known unsafe media files, which lets it recognize a previously seen unsafe file quickly during the pre-match inspection.
18. The network security device of claim 10, wherein the method further comprises when the threat is identified as being associated with the media file by any of the pre-match inspection, the local content evaluation and the remote or cloud-based network security appliance, then adding the generated signature to a local database of known unsafe media files maintained by the network security device.
This invention relates to network security devices that analyze media files for threats. The problem addressed is the need to efficiently detect and block malicious media files, such as those containing malware, exploits, or other security risks, while minimizing false positives and ensuring timely threat identification. The network security device inspects media files using multiple layers of analysis. First, a pre-match inspection checks the file against a local database of known unsafe media files. If no match is found, the device performs a local content evaluation to analyze the file's structure, metadata, and other attributes for potential threats. If the local evaluation is inconclusive, the file is sent to a remote or cloud-based network security appliance for deeper analysis. If any of these inspection methods identifies a threat, the device generates a signature for the malicious file and adds it to the local database of known unsafe media files. This ensures that future instances of the same or similar threats can be detected more quickly, improving overall network security. The system dynamically updates its threat database based on real-time analysis, allowing for proactive defense against emerging threats in media files. This multi-layered approach enhances detection accuracy and reduces reliance on external systems for threat identification.
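The staged verdict logic of claims 1, 8 and 9, sketched as an added example; it is not code from the patent or from this page. The least-significant-bit decoder, the blocked host, the cloud stub and all sample bytes are constructed assumptions standing in for the real decoders, security policy and remote appliance.

```python
import hashlib
import re
from urllib.parse import urlsplit

URL_RE = re.compile(rb"https?://[^\s\"'<>]+")

def signature(media):
    # Claim 8: the signature is a cryptographic hash of the file bytes.
    return hashlib.sha256(media).hexdigest()

def decode_lsb(carrier):
    """Toy decoder (assumption): the hidden data sits in the least significant
    bit of each carrier byte, MSB first, after a 16-bit big-endian length."""
    def read(n_bytes, bit_offset):
        out = bytearray()
        for i in range(n_bytes):
            chunk = carrier[bit_offset + 8 * i: bit_offset + 8 * i + 8]
            if len(chunk) < 8:
                return None          # declared length exceeds the carrier
            out.append(sum((b & 1) << (7 - k) for k, b in enumerate(chunk)))
        return bytes(out)
    header = read(2, 0)
    if header is None:
        return b""
    return read(int.from_bytes(header, "big"), 16) or b""

def url_filter(decoded, blocked_hosts):
    """Claims 2-4: return hosts in the decoded data that the policy blocks."""
    hits = []
    for match in URL_RE.finditer(decoded):
        try:
            host = urlsplit(match.group().decode("ascii", "replace")).hostname or ""
        except ValueError:           # malformed URL text, nothing to look up
            continue
        if any(host == h or host.endswith("." + h) for h in blocked_hosts):
            hits.append(host)
    return hits

class MediaInspector:
    def __init__(self, unsafe_signatures, blocked_hosts, cloud_verdict):
        self.unsafe = set(unsafe_signatures)  # local database of claim 9
        self.blocked_hosts = blocked_hosts
        self.cloud_verdict = cloud_verdict    # callable(sig, media) -> True if threat

    def inspect(self, media):
        sig = signature(media)
        if sig in self.unsafe:                              # stage 1: pre-match
            return ("block", "pre-match")
        if url_filter(decode_lsb(media), self.blocked_hosts):
            stage = "local-content"                         # stage 2: decode + filter
        elif self.cloud_verdict(sig, media):
            stage = "cloud"                                 # stage 3: remote appliance
        else:
            return ("allow", None)
        self.unsafe.add(sig)                                # claim 9: remember it
        return ("block", stage)

def make_sample(cover, payload):
    """Build constructed test input in the format decode_lsb expects."""
    data = len(payload).to_bytes(2, "big") + payload
    bits = [(byte >> (7 - k)) & 1 for byte in data for k in range(8)]
    return bytes((c & 0xFE) | b for c, b in zip(cover, bits)) + cover[len(bits):]

# Constructed samples: raw byte strings standing in for decoded pixel data.
CLEAN = bytes(range(256)) * 4
HIDDEN_URL = b"http://cdn.blocked.example/a"
STEGO = make_sample(CLEAN, HIDDEN_URL)
CLOUD_ONLY = CLEAN[::-1]
CLOUD_KNOWN = {signature(CLOUD_ONLY)}       # what the stubbed appliance flags

def build_inspector():
    return MediaInspector(set(), {"blocked.example"},
                          lambda sig, media: sig in CLOUD_KNOWN)

if __name__ == "__main__":
    inspector = build_inspector()
    for name, sample in [("stego", STEGO), ("stego again", STEGO),
                         ("clean", CLEAN), ("cloud-only", CLOUD_ONLY)]:
        print(name, inspector.inspect(sample))
```

The second pass over the same file is blocked at the pre-match stage because its hash was added to the local database. A single changed byte would produce a new hash and send the file back through the decode and filter stage.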
Unknown
January 2, 2018